Abstract

User authentication in wireless sensor networks (WSNs) is a critical security issue due to their unattended and hostile deployment in the field. Since sensor nodes are equipped with limited computing power, storage, and communication modules, authenticating remote users in such resource-constrained environments is a paramount security concern. To overcome the weaknesses of Yeh et al.’s protocol, we proposed a new authentication protocol for wireless sensor networks using elliptic curves cryptography. The comparisons show that our protocol is more suitable for WSNs.

1. Introduction

Wireless sensor networks (WSNs) are becoming more and more popular in everyday life as they offer economically viable, real-time monitoring solutions. These wireless sensors can be quickly and easily deployed in hostile environments, and WSNs are now widely used in a variety of real-time applications, such as vehicular tracking, habitat monitoring, environment control, military surveillance, healthcare monitoring, wildlife monitoring, and traffic monitoring. One recent survey declared that, in the near future, WSNs will become an intelligent and integral part of daily lives [1].

A WSN consists of a discrete group of independent, low cost, and low power nodes with limited memory and computation power. They communicate wirelessly over limited frequency and low bandwidth [1]. More specifically, sensor nodes collectively monitor the area and sense substantial amounts of data, which are transmitted to the base station traversing some nodes via RF signals and routing schemes.

A key requirement for WSN is user authentication [2, 3]. The client devices (remote wireless sensor nodes) need to be authenticated before being allowed to join the WSN and have access to the WSN’s resources. To date, most user authentication methods have focused on protocol implementations in the network and link layers. It should be noted that, in order to limit power consumption by sensor nodes and to overcome limitations in computation capacity, user authentication in a WSN is typically done in dedicated gateway node (GW node) [1].

In 2004, Sastry and Wagner [4] proposed a security enhancement using access control lists (ACLs) in the GW node. In Sastry and Wagner’s protocol, an ACL would be maintained besides the client’s identity and the arranging of the nearest sensor node. Watro et al. [5] proposed a user authentication protocol employing RSA and Diffie-Hellman algorithms, but this protocol is open to hostile attack by a user masquerading as a sensor node. Wong et al. [6] proposed a dynamic user authentication protocol using hash function. Das [7] and Tseng et al. [8] demonstrated that both Watro’s and Wong’s user authentication methods were vulnerable to stolen-verifier, replay, and forgery attacks. To improve the security, Das [7] proposed a two-factor user authentication protocol. In 2007, Tseng et al. [8] show that Wong’s protocol was vulnerable to stolen passwords. Tseng et al. also proposed an enhanced user authentication protocol to improve overcome the weakness. However, Khan and Alghathbar [9, 10] show that Das’ protocol did not provide mutual authentication between gateway node and sensor node and was vulnerable to gateway node bypassing attack and privileged-insider attack. Chen and Shih [11] also demonstrated that Das’ protocol did not provide mutual authentication between gateway node and sensor node. Chen and Shih [11] also proposed a more secure and robust two-factor user authentication in WSNs. Unfortunately, Yeh et al. [12] found that Chen and Shih’s protocol failed to provide a secure method for updating user passwords and was vulnerable to the insider attack problem. To improve the performance and the security, Yeh et al. [12] proposed the first user authentication protocol for WSNs using the elliptic curve cryptography (ECC). ECC was first proposed by Miller [13] and Koblitz [14], and its security was based upon the difficulty of elliptic curve discrete logarithm problem. Compared with the other cryptography, ECC offers a better performance because it can achieve the same security with a smaller key size. For example, 160-bit ECC and 1024-bit RSA have the same security level in practice [15]. Thus, ECC-based authentication schemes are very suitable for WSNs.

Unfortunately, Han [16] found that the Yeh et al. protocol had the following weaknesses: (1) no mutual authentication between the user and the sensor node, (2) no perfect forward secrecy, and (3) no key agreement between the user and the sensor node. To overcome the weaknesses of Yeh et al.’s protocol, we propose a new ECC-based user authentication protocol for WSNs.

The remainder of this paper is organized as follows. In Section 2, we propose our ECC-based authentication protocol for WSNs. The security analysis of the proposed protocol is presented in Section 3. In Section 4, performance analysis is presented. Conclusions are given in Section 5.

2. The Proposed Protocol

To solve the weakness of Yeh et al.’s scheme, we propose a new ECC-based user authentication protocol for WSNs. Thus, before issuing a query to a sensor node, each user must register with the gateway in a secure manner so that they can access the real-time sensors’ data. Upon the successful user registration request, the gateway node personalizes a smart card for every registered user. Then, a user can submit his query in an authentic way and access the sensor network data at any time within an administratively configurable period [6].

In order to execute the proposed framework, we considered that the gateway is a trusted node and it holds two master keys ( and ), which are sufficiently large for the sensor network. Before starting the system, it is assumed that the gateway and the sensor nodes share a long-term common secret key, that is, using any key agreement protocol. For example, Watro et al. [17] demonstrated that, with the careful design, D-H key agreement protocol [18] can be easily deployed on most constrained devices. Here, is a collision-free one-way hash function (i.e., SHA-1), which has an output length of 160 bits [19] and is used throughout this paper.

It is assumed that some identical secure symmetric cryptosystems are publicly available and stored in the gateway and the sensor node. As a result only the users registered with the gateway have access privileges to the sensors, which share a long-term secret with the gateway. The framework is divided into four phases, namely, user registration phase, login phase, authentication phase, and password update phase. For convenience, the notations used throughout this paper are summarized as follows:: two large prime numbers;: a finite field;: an elliptic curve defined on finite field with large order;: the group of elliptic curve points on ;: a point on elliptic curve with order ;: a user;: the user identity;: the user password;GW node: the gateway node of WSN;: a sensor node of WSN;: the sensor node identity;: the master keys of GW node;: a secure one-way hash function;||: a string concatenation operation;: a string XOR operation;ECDLP: the discrete logarithm problem, that is, given to compute such that ;ECCDHP: the computational Diffie-Hellman problem, that is, given to compute .

2.1. Registration Phase

In this phase, user has to submit an identity, , and a password, , to the GW node in a secured way. Then, the GW node issues a license to . The detailed steps are depicted as follows.(1) chooses his identity and password , generates a random number , and computes . Then, sends and to the GW node.(2)Upon receiving the registration request, GW node computes , , and . Then GW node stores into a smart card and sends it to the user .(3)After receiving the smart card, the user inputs into it and finishes the registration.

2.2. Login Phase

When enters an and a in order to deliver some query to or access data from the WSN, the smart card must perform the following steps to validate the legitimacy of . Figure 1 shows both the login phase and the authentication phase.(1)User inserts his smart card into the terminal and enters his identity and password .(2)The smart card computes and and checks whether . If it does not hold, the smartcard stops the request. Otherwise, the smart card computes . Then the smart card generates a random number and computes , , and , where is the current timestamp of ’s system. At last, the smart card sends the login message to .

Figure 1: The login phase and the authentication phase of our scheme.

2.3. Authentication Phase

After receiving the login request message at time , the sensor node executes the following steps to authenticate ’s requests by the following steps.(1) checks whether holds, where is the legal time interval for transmission delay. If the answer is yes, the validity of can be assured, and proceeds to the next step. If no, the rejects the request.(2) generates a random number and computes and , where is the current timestamp of ’s system. At last, sends to GW node.

After receiving the message at time , GW node performs the following actions.(1)GW node checks whether and hold, where is the legal time interval for transmission delay. If the answer is yes, the validity of and can be assured, and GW node proceeds to the next step. If no, GW node rejects the request.(2)GW node uses long-term key to check whether the equation holds. If the equation does not hold, GW node stops the session. Otherwise, GW node computes using his master key . Then, GW node checks whether the equation holds. If the equation does not hold, GW node stops the session. Otherwise, GW node computes and . At last, GW node sends the message to .

After receiving the message at time , performs the following actions to authenticate and GW node.(1) checks whether holds, where is the legal time interval for transmission delay. If the answer is yes, the validity of can be assured, and proceeds to the next step. If no, rejects the request.(2) uses long-term key to check whether the equation holds. If the equation does not hold, stops the session. Otherwise, computes , , and the session key sk = and sends to the smart card.

After receiving the message at time , the smart card performs the following actions to authenticate .(1)The smart card checks whether holds, where is the legal time interval for transmission delay. If the answer is yes, the validity of can be assured, and the smart card proceeds to the next step. If no, the smart card rejects the request.(2)The smart card computes and checks whether the equations and hold. If either of the two equations does not hold, the smart card stops the session. Otherwise, is authenticated and the smart card computes the session key .

2.4. Password Update Phase

The password update phase is invoked whenever user wants to update his old password . The password update phase is described below.(1)User inserts his smart card into the terminal and enters his identity , the old password , and the new password .(2)The smart card computes and and checks whether . If it does not hold, the smart card stops the request. Otherwise, the smart card computes , , and . At last, the smart card replaces with .

3. Security Analysis

In this section, we will discuss the security of our protocol as follows.

Mutual AuthenticationOur scheme provides mutual authentication, where all entities (i.e., user, gateway, and sensor nodes) are mutually authenticating each other. More specifically, when the GW node receives the message , it can make sure that the user message is included in the sensor node message . When the sensor node receives message , it ensures that this message is generated by the GW node. Furthermore, when the user receives message , he can also confirm that this message is generated by the sensor node. Hence, mutual authentication is achieved.

Replay AttacksOur scheme is resistant to replay attacks, because the authenticity of messages , and is validated by checking the freshness of four timestamps. Let us assume an intruder intercepts a login request message and attempts to access the sensor node by replaying the same message . The verification of this login attempt fails since the time difference expires (i.e., ). Similarly, if an intruder intercepts a valid message and attempts to replay it to the GW node, the verification request will fail at the GW node because the time difference expires again (i.e., ). Thus, our protocol is secure against replaying of messages.

User Impersonation AttacksAn attacker cannot impersonate the user. Suppose an attacker forges a login message . Now, he will again try to login into the system with the modified message . However, the attacker cannot forge without knowing or the master key since he will be faced with ECDLP. Therefore, it is not possible to impersonate the user.

Sensor Impersonation AttacksAs long as an attacker does not know the secret key , he cannot generate a legal message . Then he cannot cheat the gateway. At the same time, he cannot generate a legal message without knowing the master key . Therefore, it is not possible to impersonate the sensor.

Gateway Impersonation AttacksAs long as an attacker does not possess the secret key , he cannot impersonate the gateway and cannot cheat the sensor node. Hence, it frustrates attackers to generate the valid message to the sensor node. Therefore, it is not possible to impersonate the gateway.

Man-in-the-Middle AttackMan-in-the-middle attack means that an active attacker intercepts the communication line between a legal user and the server and uses some means to successfully masquerade as both the server to the user and the user to the server. Then, the user will believe that he is talking to the intended server and vice versa. From the above discussion we know that our protocol can provide mutual authentication, and then the “man-in-the-middle” attack can be resisted.

Stolen-Verifier AttacksAn attacker who steals the password verifier (e.g., hashed passwords) from the gateway can use the stolen verifier to impersonate a legal user to login to the system. The proposed scheme is free from the stolen verifier attack. There is no such information stored at the server, by which an adversary can make a fabricated login request to impersonate a legal user to login the server or can impersonate the gateway to cheat the legal user and the sensor node.

Insider AttacksIt is possible in a real-time environment, when the gateway manager or system administrator can use the user password (e.g., weak password), to impersonate the user through any other network gateways. In this case, our scheme does not give any room for privileged insiders, since, in the registration phase, the user is passing instead of the plain password. Thus, the insider of the GW node cannot get easily. Here, is a sufficiently high entropy number, which is not revealed to the GW node. Furthermore, the proposed scheme does not store any verifier table and can resist the insider attacks.

Perfect Forward SecrecyA protocol is said to be perfect forward secrecy if compromise of the three private keys of the participating entities does not affect the security of the previous session keys. Two aspects are related to this notion, that is, perfect forward secrecy (p-FS) and master key perfect forward secrecy. p-FS means that the compromise of both user’s and sensor node’s long-term private keys would not affect the secrecy of the previously established session keys. Master key p-FS is satisfied if the session key secrecy still holds even when the server’s master key is compromised. Our protocol satisfies both p-FS and master key p-FS by using or as the shared secret. If user’s private keys or gateway’s master key is compromised, the adversary cannot compute or from and since he has to solve the ECCDHP, thus satisfying both p-FS and master key p-FS.

4. Performance Comparison

For the convenience of evaluating the computational cost, we define some notations as follows.: the time of executing a scalar multiplication operation of point.: the time of executing an addition operation of points.: the time of generating a random number point.: the time of executing a map-to-point hash function.: the time of executing a one-way hash function.

In Table 1, we summarize the performance results of the proposed protocol. In Table 1, we know that the user, the sensor node, and the gateway require , , and , separately. From the theoretical analysis [20] and the experimental result [21, 22], we know that the relative computation cost of generating a random number point and executing a map-to-point hash function is about times that of the scalar multiplication.

Table 1

Besides, the computation costs of are considerably higher than and . Then, the computational costs of the user, the sensor node, and the gateway in Yeh et al.’s protocol are about , , and , separately. The computational costs of the user, the sensor node, and the gateway in our protocol are about , , and , separately. Then our protocol has better performance at the sensor node side and the gateway side. Moreover, Yeh et al.’s protocol cannot provide (1) mutual authentication between the user and the sensor node, (2) perfect forward secrecy, and (3) key agreement between the user and the sensor node, and then our protocol enhances the security at the cost of increasing user’s computation cost slightly.

5. Conclusions

This paper provides a new ECC-based user authentication protocol for WSNs. The proposed protocol performs more efficiently in terms of computation cost, communication cost, and security. Compared with the protocol of Yeh et al., the proposed protocol in this paper can prevent general security issues and provide mutual authentication to protect inside security and outside security. Therefore, the proposed protocol is more suited to WSNs environments.

Acknowledgments

The authors thank the editors and the anonymous reviewers for their valuable comments. This research was supported by National Natural Science Foundation of China (nos. 61202447 and 61201180), Natural Science Foundation of Hebei Province of China (no. F2013501066), Northeastern University at Qinhuangdao Science and Technology Support Program (no. xnk201307), Beijing Natural Science Foundation (no.4132055), and Excellent Young Scholars Research Fund of Beijing Institute of Technology.